CN103944724A

CN103944724A - User identity identification card

Info

Publication number: CN103944724A
Application number: CN201410156521.6A
Authority: CN
Inventors: 李东声
Original assignee: Tendyron Technology Co Ltd
Current assignee: Tendyron Technology Co Ltd
Priority date: 2014-04-18
Filing date: 2014-04-18
Publication date: 2014-07-23
Anticipated expiration: 2034-04-18
Also published as: CN103944724B; HK1199984A1; WO2015158172A1

Abstract

The invention provides a user identity identification card. The user identity identification card comprises a communication module, a safety certificating module, a right control module, a security protection module, a security storage module, a public key algorithm module, a symmetric algorithm module, a random number module, a hash module and a processing module. The communication module is used for receiving and outputting information. The safety certificating module is used for carrying out the safety certification on the user identity information and the user operation information. The right control module is used for carrying out right control on calling of the processing module for various modules, the security protection module is used for at least carrying out the protection operation on the operation of the public key algorithm module, the symmetric algorithm module, the random number module and/or the hash module, and the security storage module is used for at least storing a private key for carrying out signature calculation and a negotiation secret key for carrying out encryption and decryption calculation and/or verifying calculation. The public key algorithm module is used for carrying out signature calculation. The symmetric algorithm module is used for carrying out encryption and decryption calculation and/or verifying calculation. The random number module is used for generating random factors. The hash module is used for carrying out hash calculation. The processing module is used for calling all the modules. According to the user identity identification card, data transmission can be safely carried out.

Description

User identity identification card

Technical Field

The invention relates to the technical field of electronics, in particular to a user identity identification card.

Background

With the great convenience brought to people by the rapid development of the network, people increasingly rely on the network to perform various activities, such as the transmission of network files and online banking transactions, which become indispensable parts in the life and work of people gradually. Since the network is a virtual environment and there are many unsafe factors, network activities of data interaction, especially network activities such as internet banking and transmission of confidential information, are inevitably performed in the network environment, which puts high demands on the security of the network, and people are beginning to vigorously develop network information security technologies.

However, with the rapid development of the mobile phone technology, mobile phone terminals are increasingly used to replace computers, but there is no solution for the mobile phone terminals to safely perform internet banking and/or confidential information transmission, and the user identification card used in the mobile phone only has a data transmission function and does not have other functions that are safer.

Disclosure of Invention

The present invention is directed to solving one of the problems set forth above.

The invention mainly aims to provide a user identification card.

In order to achieve the purpose, the technical scheme of the invention is realized as follows:

one aspect of the present invention provides a user identification card, including: the system comprises a processing module, a communication module, a security authentication module, a permission control module, a security protection module, a security storage module, a public key algorithm module, a symmetric algorithm module, a random number module and a hash module;

the communication module is used for receiving and outputting information;

the security authentication module is used for performing security authentication on the user identity information and the user operation information;

the authority control module is used for carrying out authority control on the calling of each module by the processing module;

the safety protection module is used for at least carrying out protection operation on the operations of the public key algorithm module, the symmetric algorithm module, the random number module and/or the hash module;

the secure storage module is used for at least storing a private key for signature calculation and a negotiation key for encryption, decryption calculation and/or verification calculation;

the public key algorithm module is used for carrying out signature calculation;

the symmetric algorithm module is used for performing encryption and decryption calculation and/or verification calculation;

a random number module for generating a random factor;

the hash module is used for carrying out hash calculation;

the processing module is used for calling the information receiving and outputting of the communication module, calling the authentication result after the authentication of the security authentication module, calling the protection operation of the security protection module, calling the information stored in the security storage module, calling the calculation of the public key algorithm module, calling the calculation of the symmetric algorithm module, calling the random factor generated by the random digital module, calling the hash calculation of the hash module, and calling each module according to the authority of the authority control module.

In addition to this, the present invention is,

the communication module is further configured to receive first authentication information and information to be processed, and output second authentication information, second ciphertext information, and processing information, where the first authentication information at least includes: the authentication method comprises the steps that first ciphertext information, ciphertext signature information and a certificate to be authenticated are obtained, wherein the first ciphertext information at least comprises a first random factor and a second random factor, and the ciphertext signature information is a signature carried out on the first ciphertext information; the second authentication information includes at least: the second ciphertext information at least comprises the second random factor and a third random factor;

the safety storage module is also used for storing a private key of a user identity identification card, a certificate of the user identity identification card and a public key of the certificate to be authenticated;

the public key algorithm module is used for carrying out signature verification calculation on the ciphertext signature information through a public key of the certificate to be authenticated and carrying out authentication calculation on the certificate to be authenticated;

the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information, and perform encryption calculation on at least the second random factor and the third random factor to obtain second ciphertext information;

a random number module further configured to generate the first random factor and the third random factor;

the processing module is further configured to invoke the public key algorithm module to perform signature verification calculation on the ciphertext signature information after the public key algorithm module is invoked to perform authentication on the certificate to be authenticated, invoke the symmetric algorithm module to decrypt the first ciphertext information after the signature verification is passed, obtain the second random factor, invoke the third random factor generated by the random number module, and invoke the symmetric algorithm module to perform encryption calculation on the second random factor and the third random factor, so as to obtain the second ciphertext information.

In addition to this, the present invention is,

the communication module is also used for receiving the first check information and the information to be processed and outputting second check information and processing information; the first check information is obtained through calculation of a first random factor, and the second check information is obtained through calculation of a second random factor;

the safety storage module is also used for storing a private key of the user identity identification card, a first secret key and a second secret key for verification;

the symmetric algorithm module is further configured to perform check calculation on the first check information through the first key, and perform check calculation on a second random factor through the second key to obtain second check information;

a random number module further configured to generate at least the second random factor;

the processing module is further configured to call the first key stored in the secure storage module and the symmetric algorithm module to verify the first verification information, call the second random factor generated by the random number module after the verification is passed, and call the symmetric algorithm module to perform verification calculation on the second random factor to obtain the second verification information.

In addition to this, the present invention is,

the communication module is also used for receiving the first ciphertext information and the information to be processed and outputting second ciphertext information and processing information; the first ciphertext information is obtained by carrying out encryption calculation on a first random factor through a public key of a user identity identification card, and the second ciphertext information is obtained by carrying out encryption calculation on a second random factor through a public key of a module to be interacted;

the safe storage module is also used for storing a private key of the user identity identification card and a public key calculation algorithm for generating a public key of the module to be interacted;

the public key algorithm module is also used for generating a public key of the module to be interacted according to the public key calculation algorithm and the identification information of the module to be interacted;

the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information through a private key of the user identity card, and perform encryption calculation on the second random factor through a public key of the module to be interacted;

the processing module is further configured to invoke the symmetric algorithm module to decrypt the first ciphertext information according to a private key of the user identity card to obtain a first random factor, invoke the public key calculation algorithm stored in the secure storage module and the public key algorithm module to generate a public key of the module to be interacted, invoke the second random factor generated by the random module, and invoke the symmetric algorithm module to perform encryption calculation on the second random factor according to the public key of the module to be interacted to obtain second ciphertext information.

In addition to this, the present invention is,

the processing information includes: the symmetric algorithm module carries out encryption calculation on signature information according to the negotiation key to obtain encrypted information, wherein the signature information is obtained by carrying out signature calculation on the information to be processed by the public key algorithm module according to a private key of the user identity identification card; or

The processing information includes: the symmetric algorithm module checks and calculates signature information according to the negotiation key to obtain check information and the signature information, wherein the signature information is obtained by signature calculation of the public key algorithm module on the information to be processed according to a private key of the user identity identification card; or

The processing information includes: the symmetric algorithm module carries out encryption calculation on signature information according to the negotiation key to obtain encryption information and verification information obtained by carrying out verification calculation on the signature information, wherein the signature information is obtained by carrying out signature calculation on the information to be processed by the public key algorithm module according to a private key of the user identity identification card; or

The processing information includes: the symmetric algorithm module carries out encryption calculation on signature information according to the negotiation key to obtain encryption information and verification information obtained by carrying out verification calculation on the encryption information, wherein the signature information is obtained by carrying out signature calculation on the information to be processed by the public key algorithm module according to a private key of the user identity identification card.

In addition, the processing module is further configured to invoke the hash calculation of the hash module to obtain the signature information when the public key algorithm module performs signature calculation on the information to be processed according to the private key of the user identification card.

In addition, the symmetric algorithm module is further configured to perform decryption calculation and/or verification calculation on the information to be processed.

Further, the communication module includes: serial port, USB interface, NFC interface, bluetooth interface, infrared interface, button or audio interface.

Further, the guarding operations include: frequency scrambling, power consumption scrambling, computational scrambling or balanced computation.

In addition, the authority control module is also used for controlling the execution of codes and/or application programs.

According to the technical scheme provided by the invention, the data transmission can be safely carried out through the user identity identification card with the safety function.

The user identification card of the invention is matched with the security part of the mobile phone for common use so as to realize the safe execution of the online banking business and/or the confidential information transmission of the mobile phone.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.

Fig. 1 is a schematic structural diagram of a user identification card provided in the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.

In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.

In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.

Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.

The user identification card of the invention can be any one of the following cards: SIM (Subscriber Identity Module) card, UIM (user Identity Module) card, USIM card, PIM card and the like, wherein the cards expand the safety function on the basis of the existing functions, thereby being matched with the mobile phone to realize the function of safely executing the online banking service and/or the confidential information transmission.

In addition, the user identification card of the invention needs to be matched with a mobile phone with a safety function for use, so as to ensure that the mobile phone with the safety function and the user identification card of the invention can jointly complete the functions of online banking business and/or confidential information transmission.

Fig. 1 shows a schematic structural diagram of a user identification card according to embodiment 1 of the present invention, and referring to fig. 1, the user identification card according to embodiment 1 of the present invention includes: the system comprises a communication module 101, a security authentication module 102, a permission control module 103, a security protection module 104, a security storage module 105, a public key algorithm module 106, a symmetric algorithm module 107, a random number module 108, a hash module 109 and a processing module 110; wherein,

the communication module 101 is used for receiving and outputting information; specifically, the communication module 101 may receive the call from the processing module 110, so as to receive the information sent by the secure part of the mobile phone with the security function, which is used in match with the user identification card, and output various types of information generated by the user identification card to the secure part of the mobile phone. The communication module 101 may be any interface such as a serial port, a USB interface, an NFC interface, a bluetooth interface, an infrared interface, a button, or an audio interface.

The security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information; specifically, the security authentication module 102 may receive the call of the processing module 110, perform security authentication on identity information input by the user through a mobile phone or in other manners, and also perform security authentication on operation information of the user, for example, operations such as reading operation, and the security authentication module 102 may set different security levels according to different users, so as to complete a security authentication function according to the identities and/or operations of different users.

The authority control module 103 is used for performing authority control on the calling of each module by the processing module 110; specifically, the authority control module 103 may receive the call of the processing module 110, and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the authority control module 103 may also control the execution authority of the code and/or the application program to ensure the security of the information, the function and the application.

A security protection module 104, configured to perform protection operations on at least operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109; specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption/decryption calculation and/or verification calculation, protection is performed in the calculation through the call of the processing module 110. Therefore, attack analysis such as energy analysis or electromagnetic analysis can be resisted, the difficulty of calculation and cracking is improved, and the safety of various information calculations is improved. Wherein the guard operation may include: the protection operation can also be balanced calculation and other operations, as long as the purpose of safety protection and the operation of preventing attack and the like can be realized, and the protection method belongs to the protection scope of the invention. Wherein, the security protection module 104 performs protection operation on at least the computing operation of the public key algorithm module 106 and/or the symmetric algorithm module 107.

A secure storage module 105, configured to store at least a private key for performing signature calculation and a negotiation key for performing encryption/decryption calculation and/or verification calculation; specifically, the secure storage module 105 may store at least secure information such as a security key and a negotiation key, and receive the call from the processing module 110, so as to cooperate with other modules to complete the security function of the user identification card. The private key for signature calculation can not be taken out at all, and the storage safety of the private key is improved.

A public key algorithm module 106, configured to perform signature calculation; specifically, the public key algorithm module 106 performs signature calculation according to a private key (in the present invention, the private key of the user identification card) for performing signature calculation stored in the secure storage module 105 during the invocation of the processed module 110, so as to implement the security function of the user identification card.

A symmetric algorithm module 107, configured to perform encryption/decryption calculation and/or verification calculation; specifically, in the present invention, the processing module 110 may invoke the symmetric algorithm module 107 to perform encryption/decryption calculation and/or verification calculation on the information that is output to the security portion of the mobile phone by the user identification card and is sent to the user identification card by the security portion of the mobile phone, so as to ensure that the information transmission between the security portion of the mobile phone and the user identification card is not tampered, thereby improving the security.

A random number module 108 for generating a random factor; specifically, the random number module 108 may be called by the processing module 110 by the random factor generated by the processing module 110, so that the random factor may be sent to the secure part of the mobile phone and the random factor sent by the secure part of the mobile phone may be received at the same time, so that the processing module 110 may generate a negotiation key for information interaction between the secure part of the mobile phone and the user identification card according to the random factors of one or both of the parties, thereby improving the security of information interaction between the secure module of the mobile phone and the user identification card; in addition, the random factor can be increased every time information transmission is carried out, and replay attack is prevented.

A hash module 109 for performing hash calculation; specifically, the hash module 109 may receive the call of the processing module 110, and when the processing module 110 calls the public key algorithm module 106 to perform signature calculation on information according to the private key of the user identification card, the hash calculation is performed in cooperation to obtain signature information, so as to complete the security function of the user identification card.

The processing module 110 is configured to call information reception and output of the communication module 101, call an authentication result after authentication by the security authentication module 102, call a protection operation of the security protection module 104, call information stored in the security storage module 105, call calculation of the public key algorithm module 106, call calculation of the symmetric algorithm module 107, call a random factor generated by the random number module 108, call hash calculation of the hash module 109, and call each module according to a permission of the permission control module 103. Specifically, the processing module 110 may implement calling for each of the above modules so as to complete the security function of the user identification card in a matching manner.

Therefore, the user identification card with the safety function can safely transmit data.

The user identification card of the invention is used together with the security part of the mobile phone to realize the safe execution of the online banking business and/or the confidential information transmission of the mobile phone.

Example 1

In this embodiment, the structure of the user identification card is as shown in fig. 1, and in this embodiment, a negotiation key is generated between the user identification card and the security part of the mobile phone in a mutual authentication certificate manner, so that the user identification card and the security part of the mobile phone perform secure transmission of information by using the generated negotiation key. Wherein:

the communication module 101 is specifically configured to receive first authentication information and information to be processed, and output second authentication information, second ciphertext information, and processing information, where the first authentication information at least includes: the authentication method comprises the steps that first ciphertext information, ciphertext signature information and a certificate to be authenticated are included, the first ciphertext information at least comprises a first random factor and a second random factor, and the ciphertext signature information is a signature carried out on the first ciphertext information; the second authentication information includes at least: the first random factor and the user identity identification card certificate, and the second ciphertext information at least comprises a second random factor and a third random factor;

specifically, the communication module 101 receives the call of the processing module 110, and is configured to receive the first authentication information and the information to be processed, and output the second authentication information, the second ciphertext information, and the processing information. Wherein:

the first authentication information is the authentication information sent by the security part of the mobile phone to the user identity identification card and is used for authenticating the validity of the security part of the mobile phone; the information to be processed, that is, the information sent to the user identification card by the security part of the mobile phone, may be confidential information needing secure transmission, or may be any information such as transaction information to be transacted in the internet bank. If the invention is applied to the secure transmission of the confidential information, the information can be the confidential information which needs to be output by the mobile phone, such as: confidential information and the like acquired by the mobile phone from the security storage area of the mobile phone; if the invention is applied to online banking, the information may be transaction information of a transaction to be performed, such as: and the mobile phone acquires transaction information such as a transaction account number, a transaction amount and the like through the online banking client.

The second authentication information, namely the authentication information sent by the user identity identification card to the security part of the mobile phone is used for the security part of the mobile phone to authenticate the legality of the user identity identification card; the first ciphertext message may carry a part of factors in a negotiation key generated by the security part of the mobile phone and used for generating mutual negotiation between the user identification card and the security part of the mobile phone; certainly, the second ciphertext information may also carry part of factors in a negotiation key generated by the user identity card and/or generated by the security part of the mobile phone and sent to the user identity card for generating mutual negotiation between the user identity card and the security part of the mobile phone;

the processing information is the information which is sent by the user identity identification card to the security part of the mobile phone and responds to the information to be processed, if the method is applied to the security transmission of the confidential information, the processing information can be the signed confidential information and the like; if the invention is applied to the online banking business, the processing information can be the signed transaction information and the like.

Of course, the processing information may also include: the symmetric algorithm module 107 performs encryption calculation on the signature information according to the negotiation key to obtain encrypted information, wherein the signature information is obtained by performing signature calculation on the information to be processed according to the private key of the user identity identification card by the public key algorithm module 106; or

The processing information includes: the symmetric algorithm module 107 performs verification calculation on the signature information according to the negotiation key to obtain verification information and signature information, wherein the signature information is obtained by performing signature calculation on the information to be processed according to the private key of the user identity identification card by the public key algorithm module 106; or

The processing information includes: the symmetric algorithm module 107 performs encryption calculation on the signature information according to the negotiation key to obtain encryption information and verification information obtained by performing verification calculation on the signature information, wherein the signature information is obtained by performing signature calculation on the information to be processed according to the private key of the user identity identification card by the public key algorithm module 106; or

The processing information includes: the symmetric algorithm module 107 performs encryption calculation on the signature information according to the negotiation key to obtain encrypted information and verification information obtained by performing verification calculation on the encrypted information, wherein the signature information is obtained by performing signature calculation on the information to be processed according to the private key of the user identification card by the public key algorithm module 106.

Therefore, the user identification card can ensure the security of signature information transmission while transmitting the processing information.

The communication module 101 may be any interface such as a serial port, a USB interface, an NFC interface, a bluetooth interface, an infrared interface, a button, or an audio interface.

The secure storage module 105 is further configured to store a private key of the user identification card, a certificate of the user identification card, and a public key of the certificate to be authenticated;

specifically, the secure storage module 105 stores a private key for performing signature calculation, a negotiation key for performing encryption/decryption calculation and/or verification calculation, and also specifically stores a private key of the user identification card, so as to receive the call of the processing module 110, and perform signature operation in secret information transmission and/or signature operation of an internet bank; storing the certificate of the user identification card so as to be called by the processing module 110, and sending the certificate of the user identification card to the security part of the mobile phone for legality authentication of the user identification card, so that the security is improved; the public key of the certificate to be authenticated is stored so as to be called by the processing module 110, so that the user identification card authenticates the security part of the mobile phone, and the security is improved.

The public key algorithm module 106 is used for performing signature verification calculation on the ciphertext signature information through a public key of the certificate to be authenticated and performing authentication calculation on the certificate to be authenticated;

specifically, the public key algorithm module 106 is configured to receive the call of the processing module 110, and perform signature verification calculation on the ciphertext signature information sent by the secure portion of the mobile phone through the public key of the certificate to be authenticated, so as to verify the correctness of the ciphertext signature information; meanwhile, the call of the processing module 110 is received, and the certificate to be authenticated is authenticated and calculated, so that the validity of the security part of the mobile phone is authenticated.

The symmetric algorithm module 107 is further configured to perform decryption calculation on the first ciphertext information, and perform encryption calculation on at least the second random factor and the third random factor to obtain second ciphertext information;

specifically, the symmetric algorithm module 107 is specifically configured to receive the call of the processing module 110, decrypt the first ciphertext information to obtain a factor for generating the negotiation key, and also configured to receive the call of the processing module 110, perform encryption calculation on the factor for generating the negotiation key, so as to send the factor for generating the negotiation key to the secure portion of the mobile phone securely. Certainly, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or verification calculation on the information to be processed, and after the security portion of the mobile phone performs encryption calculation and/or verification calculation on the information to be processed, in order to verify the integrity and the authenticity of the information to be processed, the symmetric algorithm module 107 may also perform decryption calculation and/or verification calculation on the information to be processed, and of course, the symmetric algorithm module 107 of this embodiment may also receive the call of the processing module 110, and perform encryption calculation and/or verification calculation on the information to be processed, so as to ensure the authenticity and the integrity of the information to be processed.

A random number module 108, further configured to generate a first random factor and a third random factor;

specifically, the random number module 108 is specifically configured to generate a first random factor for preventing replay attack, and generate a third random factor for generating a negotiation key, and accept the invocation of the processing module 110.

The processing module 110 is further configured to, after the public key algorithm module 106 is called to pass the authentication of the certificate to be authenticated, call the public key algorithm module 106 to perform signature verification calculation on the ciphertext signature information, and after the signature verification passes, call the symmetric algorithm module 107 to decrypt the first ciphertext information to obtain a second random factor, call a third random factor generated by the random number module 108, and call the symmetric algorithm module 107 to perform encryption calculation on the second random factor and the third random factor to obtain second ciphertext information. Specifically, the processing module 110 calls the above modules so as to authenticate the certificate sent by the security part of the mobile phone, check the signature sent by the security part of the mobile phone, decrypt the ciphertext sent by the security part of the mobile phone to obtain a generation factor of the negotiation key, then call the generation factor of the generated another negotiation key, and generate the negotiation key of the user identification card end together according to the generation factor sent by the security part of the mobile phone and the generation factor generated by the user identification card, so that the security part of the mobile phone and the user identification card perform information interaction through the negotiation key, and the security of the information interaction is improved.

Example 2

In this embodiment, the structure of the user identification card is as shown in fig. 1, in this embodiment, a factor for generating a negotiation key is calculated by a symmetric key between the user identification card and the secure portion of the mobile phone, and the negotiation key is generated in a manner of mutual transmission and verification, so that the user identification card and the secure portion of the mobile phone perform secure transmission of information by using the generated negotiation key. Wherein:

the communication module 101 is further configured to receive the first check information and the information to be processed, and output second check information and processing information; the first check information is obtained through calculation of a first random factor, and the second check information is obtained through calculation of a second random factor;

specifically, the communication module 101 receives the call of the processing module 110, and is configured to receive the first check information and the information to be processed, and output the second check information and the processing information. Wherein:

the first check information is obtained by the security part of the mobile phone through the check calculation of a first random factor by a first secret key, the user identification card obtains the first check information and obtains a real first random factor which is not tampered after verification, and the first random factor can be generated by the security part of the mobile phone or generated by the user identification card and sent to the security part of the mobile phone safely; the information to be processed, that is, the information sent to the user identification card by the security part of the mobile phone, may be confidential information needing secure transmission, or may be any information such as transaction information to be transacted in the internet bank. If the invention is applied to the secure transmission of the confidential information, the information can be the confidential information which needs to be output by the mobile phone, such as: confidential information and the like acquired by the mobile phone from the security storage area of the mobile phone; if the invention is applied to online banking, the information may be transaction information of a transaction to be performed, such as: and the mobile phone acquires transaction information such as a transaction account number, a transaction amount and the like through the online banking client.

The second check information is obtained by the user identity card through checking calculation of the second random factor by the second key, so that the secure part of the mobile phone obtains the second check information and obtains the true second random factor which is not tampered after the verification is passed.

And the user identity identification card and the security part of the mobile phone generate negotiation keys of the user identity identification card and the mobile phone according to the first random factor and the second random factor which are respectively obtained.

The secure storage module 105 is further configured to store a private key of the user identification card, and a first key and a second key for performing authentication;

specifically, the secure storage module 105 stores a private key for performing signature calculation, a negotiation key for performing encryption/decryption calculation and/or verification calculation, and also specifically stores a private key of the user identification card, so as to receive the call of the processing module 110, and perform signature operation in secret information transmission and/or signature operation of an internet bank; the first key and the second key for verification are stored so as to be called by the processing module 110, and used for verifying the first verification information to obtain a real first random factor, and for performing verification calculation on the second random factor so that the secure part of the mobile phone obtains a real second random factor, thereby improving the security. Of course, the first key and the second key may be the same key or different keys, as long as the user id card and the secure portion of the mobile phone both store the same verification calculation key, which both belong to the protection scope of the present invention.

The symmetric algorithm module 107 is further configured to perform check calculation on the first check information through the first key, and perform check calculation on the second random factor through the second key to obtain second check information;

specifically, the symmetric algorithm module 107 is specifically configured to receive the call of the processing module 110, and perform verification calculation on the first verification information through the first key, so that the processing module 110 obtains a real first random factor after the verification is passed; the second random factor verification module is further configured to accept the call of the processing module 110, perform verification calculation on the second random factor through the second key to obtain second verification information, so as to securely transmit the second random factor, and ensure that the second random factor is not tampered during transmission, or even if the second random factor is tampered, it can be verified that the second random factor is tampered in the secure portion of the mobile phone, so that the secure portion of the mobile phone obtains the true second random factor that is not tampered. Certainly, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or verification calculation on the information to be processed, and after the security portion of the mobile phone performs encryption calculation and/or verification calculation on the information to be processed, in order to verify the integrity and the authenticity of the information to be processed, the symmetric algorithm module 107 may also perform decryption calculation and/or verification calculation on the information to be processed, and of course, the symmetric algorithm module 107 of this embodiment may also receive the call of the processing module 110, and perform encryption calculation and/or verification calculation on the information to be processed, so as to ensure the authenticity and the integrity of the information to be processed.

A random number module 108, further configured to generate at least a second random factor;

specifically, the random number module 108 is specifically configured to generate a second random factor for generating the negotiation key, and accept the call of the processing module 110.

The processing module 110 is further configured to, after the first key stored in the secure storage module 105 and the symmetric algorithm module 107 are called to verify the first verification information, and after the verification passes, call a second random factor generated by the random number module 108, and call the symmetric algorithm module 107 to perform verification calculation on the second random factor to obtain second verification information. Specifically, the processing module 110 is configured to invoke the above modules, so as to verify the verification information sent by the secure portion of the mobile phone, and obtain the negotiation key generation factor to generate the negotiation key of the user identification card end, so that the secure portion of the mobile phone and the user identification card perform information interaction through the negotiation key, and the security of the information interaction is improved.

Example 3

In this embodiment, the structure of the user identification card is as shown in fig. 1, in this embodiment, a public key of the other party is generated between the user identification card and the secure portion of the mobile phone, so that the negotiation key is generated in a manner that a factor for generating the negotiation key is encrypted and transmitted and decrypted by the public key of the other party to obtain the factor for generating the negotiation key, so that the user identification card and the secure portion of the mobile phone perform secure transmission of information by using the generated negotiation key. Wherein:

the communication module 101 is further configured to receive the first ciphertext information and the information to be processed, and output second ciphertext information and processing information; the first ciphertext information is obtained by carrying out encryption calculation on the first random factor through a public key of the user identity identification card, and the second ciphertext information is obtained by carrying out encryption calculation on the second random factor through a public key of the module to be interacted;

specifically, the communication module 101 receives the call of the processing module 110, and is configured to receive the first ciphertext information and the information to be processed, and output the second ciphertext information and the processing information. Wherein:

the first ciphertext information is obtained by encrypting and calculating a first random factor by a security part of the mobile phone through a generated public key of the user identity card, the user identity card obtains the first encrypted information and obtains a real first random factor after decrypting the first encrypted information by a private key of the user identity card, and the first random factor can be generated by the security part of the mobile phone or generated by the security part which is safely sent to the mobile phone; the information to be processed, that is, the information sent to the user identification card by the security part of the mobile phone, may be confidential information needing secure transmission, or may be any information such as transaction information to be transacted in the internet bank. If the invention is applied to the secure transmission of the confidential information, the information can be the confidential information which needs to be output by the mobile phone, such as: confidential information and the like acquired by the mobile phone from the security storage area of the mobile phone; if the invention is applied to online banking, the information may be transaction information of a transaction to be performed, such as: and the mobile phone acquires transaction information such as a transaction account number, a transaction amount and the like through the online banking client.

The second ciphertext information is obtained by the user identity card through carrying out encryption calculation on the second random factor through the public key of the module to be interacted generated by the user identity card, so that the secure part of the mobile phone can obtain the second ciphertext information and obtain the real second random factor after decrypting the second ciphertext information.

The secure storage module 105 is further configured to store a private key of the user identity card and a public key calculation algorithm for generating a public key of the module to be interacted;

specifically, the secure storage module 105 stores a private key for signature calculation, a negotiation key for encryption/decryption calculation and/or verification calculation, and also specifically stores a private key of the user identification card, so as to receive the call of the processing module 110, perform signature operation in confidential information transmission and/or signature operation of an internet bank, and the like, and meanwhile, can also receive the call of the processing module 110, decrypt information transmitted by the module to be interacted in an encrypted manner by using the public key of the user identification card; the public key calculation algorithm for generating the public key of the module to be interacted is stored so as to be called by the processing module 110, and the public key calculation algorithm module 106 and the public key algorithm module generate the public key of the module to be interacted (namely the public key of the security part of the mobile phone) according to the identification information of the security part of the mobile phone so as to encrypt the information needing to be sent to the security part of the mobile phone by the public key of the security part of the mobile phone, thereby ensuring the transmission security.

The public key algorithm module 106 is further configured to generate a public key of the module to be interacted according to a public key calculation algorithm and the identification information of the module to be interacted;

specifically, the public key algorithm module 106 is configured to receive the call of the processing module 110, and generate the public key of the module to be interacted according to the public key calculation algorithm and the identification information of the module to be interacted (i.e., the secure portion of the mobile phone), in addition to the signature calculation. The identification information of the module to be interacted may include, but is not limited to: serial number of mobile phone CPU, MAC address of mobile phone CPU, etc.

The symmetric algorithm module 107 is further configured to perform decryption calculation on the first ciphertext information through a private key of the user identity card, and perform encryption calculation on the second random factor through a public key of the module to be interacted;

specifically, the symmetric algorithm module 107 is specifically configured to accept the call of the processing module 110, decrypt the first ciphertext information through the private key of the user id card, so as to obtain a factor for generating the negotiation key, and also is configured to accept the call of the processing module 110, perform encryption calculation on the factor for generating the negotiation key through the public key of the module to be interacted, so as to send the factor for generating the negotiation key to the secure portion of the mobile phone securely. Certainly, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or verification calculation on the information to be processed, and after the security portion of the mobile phone performs encryption calculation and/or verification calculation on the information to be processed, in order to verify the integrity and the authenticity of the information to be processed, the symmetric algorithm module 107 may also perform decryption calculation and/or verification calculation on the information to be processed, and of course, the symmetric algorithm module 107 of this embodiment may also receive the call of the processing module 110, and perform encryption calculation and/or verification calculation on the information to be processed, so as to ensure the authenticity and the integrity of the information to be processed.

The processing module 110 is further configured to invoke the symmetric algorithm module 107 to decrypt the first ciphertext information according to the private key of the user id card to obtain a first random factor, invoke the public key calculation algorithm stored in the secure storage module 105 and the public key algorithm module 106 to generate a public key of the module to be interacted, invoke the second random factor generated by the random number module 108, and invoke the symmetric algorithm module 107 to perform encryption calculation on the second random factor according to the public key of the module to be interacted to obtain second ciphertext information. Specifically, the processing module 110 is configured to invoke the above modules, so as to decrypt encrypted information sent by the secure portion of the mobile phone to obtain a generation factor of the negotiation key, and generate a public key of the secure portion of the mobile phone according to identification information of the secure portion of the mobile phone, so that the negotiation key generation factor generated by the user id card end can be safely transmitted to the secure portion of the mobile phone, and meanwhile, the negotiation key of the user id card end is generated according to the negotiation key, so that information interaction is performed between the secure portion of the mobile phone and the user id card through the negotiation key, and the security of information interaction is improved.

Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.

It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.

It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.

In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.

In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims

1. A user identification card, comprising: the system comprises a processing module, a communication module, a security authentication module, a permission control module, a security protection module, a security storage module, a public key algorithm module, a symmetric algorithm module, a random number module and a hash module;

the communication module is used for receiving and outputting information;

the public key algorithm module is used for carrying out signature calculation;

a random number module for generating a random factor;

the hash module is used for carrying out hash calculation;

2. The SIM card of claim 1,

3. The SIM card of claim 1,

4. The SIM card of claim 1,

5. The subscriber identity card according to any one of claims 2 to 4,

6. The subscriber identity card according to any one of claims 2 to 5,

the processing module is further configured to invoke the hash calculation of the hash module to obtain the signature information when the public key algorithm module performs signature calculation on the information to be processed according to the private key of the user identification card.

7. The subscriber identity card according to any one of claims 2 to 6,

the symmetric algorithm module is also used for carrying out decryption calculation and/or verification calculation on the information to be processed.

8. The sim card according to any one of claims 1 to 7, wherein the communication module comprises: serial port, USB interface, NFC interface, bluetooth interface, infrared interface, button or audio interface.

9. The sim card according to any one of claims 1 to 8, wherein the protection operation comprises: frequency scrambling, power consumption scrambling, computational scrambling or balanced computation.

10. The sim card according to any one of claims 1 to 9, wherein the rights control module is further configured to control execution of code and/or applications.